JWT Decoder & Verifier
Decode a JSON Web Token to inspect its header, payload and claims, and optionally verify its HS256 signature — entirely in your browser. Your token never leaves your device.
How to use it
- 1Paste your token
Paste a JWT into the box. The header and payload are decoded instantly as you type.
- 2Read the claims
Review the decoded JSON and the issued-at, not-before and expiry dates, with a badge showing the token’s status.
- 3Verify the signature (optional)
For HS256 tokens, enter the secret and click Verify to confirm the signature matches.
See exactly what a token contains
A JWT is three base64url segments — header, payload and signature — joined by dots. This tool decodes the first two into readable JSON and highlights the standard time claims (iat, nbf, exp), showing at a glance whether the token is still valid, expired or not yet active.
Verify HS256 signatures locally
Paste the shared secret and the tool recomputes the HMAC-SHA256 signature with the Web Crypto API to confirm the token is authentic and untampered. Because everything runs on your device, you can check production tokens and secrets without sending them anywhere.
Frequently asked questions
Is my token sent to a server?
No. Decoding and verification run entirely in your browser; your token and secret never leave your device.
Does decoding a JWT reveal the signature secret?
No. The payload is only base64url-encoded, not encrypted, so anyone can read it — but the signing secret cannot be recovered from the token.
Which signatures can it verify?
HS256 (HMAC-SHA256) signatures, using the secret you provide. RS256 and ES256 (public-key) verification are not supported yet.
What do the expiry statuses mean?
"Expired" means the exp claim is in the past, "not yet valid" means the nbf claim is in the future, and otherwise the token is within its valid window.
Related tools
Base64 Encoder
Encode text to Base64 or decode Base64 back to text in your browser. Full UTF-8 support, copy with one click — nothing is sent to a server.
JSON Formatter
Format, minify and validate JSON in your browser with precise error locations. Fast, private and free — your data never leaves your device.
Hash Generator
Generate SHA-1, SHA-256, SHA-384 and SHA-512 hashes from text in your browser with the Web Crypto API. Copy the hex digest — nothing is sent to a server.